Authentication through multiple pathways based on device capabilities and user requests

ABSTRACT

There are provided systems and methods for authentication through multiple pathways depending on device capabilities and user requests. A user may wish to utilize some device process, such as unlocking and accessing the device to utilize the device&#39;s operating system or access and use of a device application or other module (e.g., a camera). The device may be protected by an authentication profile that includes one or more authentication pathways in order to authenticate the user to use those processes. The device may collect user data using device components, such as biometrics, user movements, environmental factors, or other information. The device may attempt to authenticate the user through one of the authentication pathways. If the collected user data is insufficient for one pathway, another pathway may be used. If the user is authenticated under any pathway, the device may provide access to the correspond process.

TECHNICAL FIELD

The present application generally relates to utilizing a device'shardware capabilities to detect user data and authorize processes of thedevice and more specifically to authentication through multiple pathwaysbased on device capabilities and user requests.

BACKGROUND

A user may utilize a device, such as a mobile phone, tablet computer, orother type of computing device. During use of the device, the user mayprovide or utilize sensitive information or applications/processes thatexpose the user to potential fraud. Moreover, the user may wish toprotect the device and/or processes of the device in order to concealand protect sensitive information and prevent unauthorized access anduse of the device. In order to do so, the user may set authenticationmethods for processes of the device (e.g., access to the device andapplications or processes executed by the device). Such authenticationmethods may include requirements of a PIN and/or biometric to access theprocesses and may include multifactor authentication. However, theseauthentication methods require knowledge of the authentication passwordor setting the user's biometric with the device. Thus, if the userwishes to allow other users to use certain processes with the device,but does not wish to allow the user to use all processes, the user maybe required to either compromise their device or be present to allowaccess and monitor the other user's use of the device. Additionally,these authentication methods therefore require additional time to enterduring each use of a process and cause extra friction during device use.Moreover, the authentication methods may simply require enteredinformation instead of using all the device capabilities to make acorrect decision in who is using the device and the proper securitylevel to provide such a user.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a networked system suitable forimplementing the processes described herein, according to an embodiment;

FIG. 2 is an exemplary device having device components for determininguser data and a user interface displaying protected device processesrequiring the user data to match one or more authentication profiles foruse, according to an embodiment;

FIG. 3 is an exemplary device database storing authentication profilesfor device processes and determined user data during use of the deviceby a user, according to an embodiment;

FIG. 4 is a flowchart of an exemplary process for authentication throughmultiple pathways depending on device capabilities and user requests,according to an embodiment;

FIG. 5 is a block diagram of a computer system suitable for implementingone or more components in FIG. 1, according to an embodiment; and

FIGS. 6A-6E are exemplary authentication profiles built from user datacollected from device components, according to an embodiment.

Embodiments of the present disclosure and their advantages are bestunderstood by referring to the detailed description that follows. Itshould be appreciated that like reference numerals are used to identifylike elements illustrated in one or more of the figures, whereinshowings therein are for purposes of illustrating embodiments of thepresent disclosure and not for purposes of limiting the same.

DETAILED DESCRIPTION

Provided are methods utilized for authentication through multiplepathways based on device capabilities and user requests. Systemssuitable for practicing methods of the present disclosure are alsoprovided.

A device may include one or more device authentication profiles thatlimit use of associated processes for the communication device andrequire matching user data to authenticate the user for each of theauthentication profiles and allow access to the processes correspondingto each of the authentication profiles. In this regard, authenticationprofiles may be made for processes of the communication device.Processes of the communication device may include access to the deviceand/or the device's operating system, as well as features andcapabilities of the device and/or device operating system. Thus, theprocesses of the device may allow for unlocking the device and operatingthe device. The processes may also include use of device hardware and/orsoftware, such as a messaging and communication module (e.g., networkinterface), a camera, device applications (e.g., messaging and/orpayment applications), and other types of executable processes by thehardware and/or software of the communication device. In otherembodiments, the device processes may also correspond to connecteddevices with the communication device, such as remote sensors, databasesor other storage resources, etc.

One or more users of the communication device may wish to protect theprocesses of the communication device from unauthorized use. Thus, theuser(s) may utilize an authentication module, which may establish theauthentication profile(s) that prevent access and use of one or moreprocesses associated with that authentication profile unless user datacollected during current use of the communication device satisfies therequirements of the authentication profile. The authentication modulemay therefore create an authentication profile for one or moreprocesses, such as unlocking the communication device or utilizing anapplication of the communication device. The authentication profile mayalso be specific to certain processes within the application, forexample, by allowing access and use of some features of the applicationbut preventing or limiting use of other features. The authenticationprofiles may allow access and/or prevent access for one user or a groupof users. In this regard, an exemplary authentication profile may beassociated with a payment module of the communication device and limituse of the payment module to certain users as well as place limits on anamount of payment/transfer using the payment module.

The authentication module may be requested to establish authenticationprofiles for certain process by a user (e.g., owner, operator, and/oradministrator) of the communication device. Thus, the user may specifythe process(es) that require authentication to use. The user may alsoestablish the required user data to be met in order to allowauthenticate a user and allow access to the specified process(es). Forexample, the user may set the parameters for the user data that arerequired to be met to utilize the process. However, in otherembodiments, the authentication profile may determine what user data isrequired to match the authentication profile and allow access to thedevice process(es). In such embodiments, the authentication module maydetermine user data for a user when the user utilizes the communicationdevice. The authentication module may the associate this user data witha specific user. Thus, when the user data is replicated in the future,the authentication module may identify the user and authenticate thatuser for the processes for authentication profiles matching that userdata. Moreover, each authentication profile having required user data tomatch the authentication profile and unlock the associated process(es)may have multiple pathways for authentication by requiring differentuser data in order to verify an identity of the user wishes to accessthose associated process(es) when using the communication device.

In order to establish authentication profiles, the authentication modulemay profile the communication device to determine what device componentsare available to collect and determine user data. In this regard, theauthentication module may review the communication device system anddetermine what device components are available to the authenticationmodule. The device components may correspond to one or more of a networkinterface module, a communication module connected to an external deviceor external sensor, a keypad, a mouse, a touchscreen interface, acamera, a microphone, an accelerometer, a motion detector, anenvironmental detector (e.g., barometer, altimeter, GPS sensor, etc.),and/or a biometric sensor. Thus, user data determined by the devicecomponent(s) may include data about use of the device by the user (e.g.,applications accessed/used, emails sent, messages sent, etc.), inputactions by the user (e.g., typing, scrolling, mouse actions, touchscreenmovements, etc.), motions of the user while using the device (e.g., handthe user holds the device in, angle of holding the device, whether theuser utilizes the device while walking or moving, etc.), informationabout the user (e.g., height of the user, facial recognition and/orimaging, biometric readings, clothing of the user, etc.), and/orreal-world/environmental conditions for an environment that the deviceis used within (e.g., location, temperature, humidity, time of day,light levels, noise, etc.). An authentication profile may thereforerequire user data collected and/or determined by a device component tomatch one of these set parameters for required user data for theauthentication profile in order to unlock and/or allow access toprocess(es) associated with that authentication profile. Moreover, theauthentication profile may further require a password to be added to theauthentication profile with the required user data to meet that profile.

After setting the required user data to be met for an authenticationprofile, during use of the communication device, the authenticationmodule may actively and/or passively collect and determine user dataduring use of the communication device by a user. Based on the user datadetermined during the current session of use of the communicationdevice, the authentication module may perform matching of that user datato authentication profiles to determine whether the user data (andtherefore, the user utilizing the device) matches any of theauthentication profiles. Based on the matching authenticationprofile(s), the authentication module may automatically (e.g., withoutuser input) authenticate the user for the device process(es) associatedwith the matching authentication profile(s) and allow access to thoseprocess(es). The user may therefore seamlessly use such processes thatthe user is authorized to use based on their user data and the matchingauthentication profile(s). However, the user may be prevented from usingdevice process(es) where the user has the incorrect or insufficient userdata to meet the requirements of the associated authentication profile.If the user attempts to use such process(es), the user may be informedthat their authentication is lacking. In various embodiments, the usermay be further informed of how to satisfy the requirements of theauthentication profile, such as what other user input to provide to meetthe authentication profile (e.g., required to enter in a biometricreading).

Moreover, the authentication module may establish authenticationprofiles for device processes without user input requestingestablishment of the authentication profile to protect associated deviceprocesses. For example, the authentication module may execute in thebackground of the operating system of the communication device and mayprofile the device and the user of the device by determined componentsof the device available to the authentication module and collecting userdata about past use of the communication module by the user. Theauthentication module may associate this past user data with processesused by the user concurrently with the user data (e.g., processes usedwhen the user data was collected, active, and/or current). Thus, duringfuture uses of the communication device and/or requests to access thoseprocesses, the authentication module may require user data to match therequirements (e.g., required user data/parameters) in the generatedauthentication profile in order for the user to access those processes.In this regard, the authentication module may also protect the deviceprocesses.

The authentication module may also establish each authentication moduleto authenticate a user using an authentication profile based onavailable user data according to multiple pathways in order to provideaccess to the associated processes. Each pathway may correspond torequired user data by the pathway in the authentication profile in orderto authenticate the user and may require different user data. Forexample, access to a payment module may require one of two differentauthentication pathways in an authentication profile. The firstauthentication pathway may require a user fingerprint biometric, alocation of the user, and a time of day. However, a secondauthentication pathway may require a certain motion to be performed bythe user, detection of the users touch inputs to a touch screen, accessof certain applications by the user, and height detected of the user orof the communication device while being held by the user. Thus, based onavailable user data and device components able to detect the user data,the user may be authenticated for an authentication profile using morethan one pathway. In various embodiments, more than two pathways may beavailable. Moreover, fallback mechanisms may be used in the case ofdevice malfunctioning and/or malfunctioning of one or more devicecomponents in order to allow for the user to access processes of thedevice. The fallback mechanisms may correspond to general multifactorauthentication.

Thus, different authentication pathways (or ways to authenticate a user)may be used to provide access to a user trying to obtain a certainauthentication or to provide access to different authentication levelsor access. For the former, when a first authentication pathway or firsttype of authentication method is unsuccessful (such as due to difficultyin entering a PIN/password, faulty sensor, etc.), a second differentauthentication pathway or second different type of authentication may beused, both for accessing the same level or providing the same level ofauthentication. If the second type of authentication fails, a third onemay be used. As a result, a user device may be able to leveragedifferent ways the device can authenticate a user to provide numerousadvantages, including more flexibility for the user and more control ofdevice access. This enables a processor or other computing device tooperate more efficiently because the processor may not need to processmultiple attempts to authenticate through a faulty or inefficientmethod, but may instead recognize this and provide one or morealternative authentication methods, which may allow less authenticationattempts and thus less time processing authentication requests.

FIG. 1 is a block diagram of a networked system 100 suitable forimplementing the processes described herein, according to an embodiment.As shown, system 100 may comprise or implement a plurality of devices,servers, and/or software components that operate to perform variousmethodologies in accordance with the described embodiments. Exemplarydevice and servers may include device, stand-alone, and enterprise-classservers, operating an OS such as a MICROSOFT® OS, a UNIX® OS, a LINUX®OS, or other suitable device and/or server based OS. It can beappreciated that the devices and/or servers illustrated in FIG. 1 may bedeployed in other ways and that the operations performed and/or theservices provided by such devices and/or servers may be combined orseparated for a given embodiment and may be performed by a greaternumber or fewer number of devices and/or servers. One or more devicesand/or servers may be operated and/or maintained by the same ordifferent entities.

System 100 includes a user 102, a communication device 110, a paymentprovider server 130, and a service provider server 140 in communicationover a network 150. User 102 may utilize communication device 110 toutilize the various features available for communication device 110.Thus, user 102 may wish to access one or more processes of communicationdevice 100, which may be protected and require authentication to accessthe processes. Communication device 110 may determine user data for user102 using device components. Such user data may also be determined frompayment provider server 130 and/or service provider server 140. Usingthe user data, communication device 110 may determine whether the userdata matches one or more required user data for authentication ofprocesses associated with one or more authentication profiles.Communication device 110 may then authorize access to the associatedprocesses of the matching authentication profiles. In variousembodiments, one or more of the processes may be associated with paymentprovider server 130 and/or service provider server 140, such as apayment using a payment module of communication device 110.

Communication device 110, payment provider server 130, and serviceprovider server 140 may each include one or more processors, memories,and other appropriate components for executing instructions such asprogram code and/or data stored on one or more computer readable mediumsto implement the various applications, data, and steps described herein.For example, such instructions may be stored in one or more computerreadable media such as memories or data storage devices internal and/orexternal to various components of system 100, and/or accessible overnetwork 150.

Communication device 110 may be implemented as a communication devicethat may utilize appropriate hardware and software configured for wiredand/or wireless communication with payment provider server 130 and/orservice provider server 140. For example, in one embodiment,communication device 110 may be implemented as a personal computer (PC),a smart phone, laptop/tablet computer, wristwatch with appropriatecomputer hardware resources, eyeglasses with appropriate computerhardware (e.g. GOOGLE GLASS®), other type of wearable computing device,implantable communication devices, and/or other types of computingdevices capable of transmitting and/or receiving data, such as an IPAD®from APPLE®. Although a communication device is shown, the communicationdevice may be managed or controlled by any suitable processing device.Although only one communication device is shown, a plurality ofcommunication devices may function similarly.

Communication device 110 of FIG. 1 contains an authentication module120, a data collection component 112, other applications 114, a database116, and a communication module 118. Authentication module 120 and otherapplications 114 may correspond to executable processes, procedures,and/or applications with associated hardware. In other embodiments,communication device 110 may include additional or different hardwareand software as required.

Authentication module 120 may correspond to one or more processes toexecute modules and associated devices of communication device 110 toestablish authentication profiles to prevent unauthorized access toprocesses of communication device 110, access determined user dataincluding past user data for establishment of the authenticationprofiles, determine whether any authentication profiles match currentuser data when user 102 utilizes communication device 110, and provideauthorization and access to the corresponding processes for the matchingauthentication profiles to the user data. In this regard, authenticationmodule 120 may correspond to specialized hardware and/or softwareutilized by communication device 110 to first establish authenticationprofiles for processes of communication device 110. Each authenticationprofile may be associated with at least one process of communicationdevice 110, such as access to communication device 110 and/or anoperating system of communication device 110, use of a hardware orsoftware component of communication device 110 (e.g., an optical camera,communication module, database or memory, a phone module, an audiocomponent, and/or associated applications and application featuresincluding messaging, payment, and/or social networking applications).The processes may also correspond to features and sub-processes of amain process, such as access and/or authorization rights within anapplication or associated with a hardware component, for example,messaging rights, payment and transfer limits, phone privileges, etc.When establishing the processes to be protected by one or moreauthentication profiles, user 102 or another owner/administrator ofcommunication device 110 may select the processes to protect. However,in other embodiments, authentication module 120 may insteadautomatically select one or more processes to protect from unauthorizeduse with an authentication profile. Authentication module 120 may selectprocesses to protect based on a security requirement of the process,sensitive material associated with the process (e.g., personal orfinancial information), requirement by the process (e.g., set with anadministrative entity for the process, such as a payment provider for apayment module), available types of authentication methods on thedevice, or other known information about the process.

Once the process(es) are selected to protect with an authenticationprofile, authentication module 120 may then set parameters that may berequired to authenticate a user and satisfy the authentication profileso that the user associated with such parameters may access and utilizethe processes protected by the authentication profile. The parametersmay correspond to required user data that must be met to authenticate auser (e.g., user 102) with the authentication profile. The required userdata may be set by user 102 or the owner/administrator of communicationdevice 110 when creating the authentication profile. For example, user102 may require a biometric, time, and location for access to a paymentapplication and/or for payments over $100 in the payment application.However, in other embodiments, user 102 or the owner/administrator mayallow authentication module 120 to select the required user data, suchas based on service provider authentication/risk models. Moreover, inembodiments where authentication module 120 automatically creates one ormore authentication profiles to protect communication device 110,authentication module 120 may also set the required user data. Inembodiments where authentication module 120 selects the required userdata for an authentication profile, authentication module 120 may selectthe required user data for collected and/or determined user data at thetime that an authorized user was utilizing the process. For example,authentication module 120 may detect a user height, location, user inputcharacteristics (e.g., a way the user types, moves the mouse, utilizes atouch screen, scrolls through menus, etc.), and/or other user data whenthe authorized user is utilizing a payment application (e.g., notfraudulently). Authentication module 120 may require this user data forfuture uses of the payment application. Authentication module 120 mayallow for different authentication pathways for an authenticationprofile to allow use of the corresponding processes. For example, if abiometric is not available for the user, authentication module 120 mayallow for the time of day and location to match known user data forauthorized users in order to satisfy the required user data for theauthentication profile. Moreover, authentication module 120 may adaptand change required user data over time to accommodate changingconditions, such as a move to a new address, change in person'sinformation, use of the process, etc.

Once authentication profiles are established by authentication module120, the associated processes of communication device 110 may requirecorresponding authentication profiles to be established to allow accessand use of those processes. Thus, unauthorized user who cannot satisfythe required user data may be prevented from accessing and utilizingsuch processes. In order to determine whether a user is authorized touse one or more processes, authentication module 120 may access currentuser data during use of communication device 110 by user 102. In thisregard, user 102 may generate current user data based on user 102's useof communication device 110. Thus, user data may include biometrics,environment factors, user information, user actions, user input, etc.For example, applications used by user 102 and/or actions within theapplications may be included within the user data, as well as currentbiometrics for user 102. A height and/or position user 102 holds orutilizes communication device 110 or a device component of communicationdevice 110 (e.g., a mouse, keyboard, touch interface, etc.) maycorrespond to user data. User data may include ambient light, noise,location, pressure, humidity, and/or other environmental information.Moreover, user data may be captured by cameras, breathalyzers, scanners,or other types of sensors to determine user data (e.g., facial/bodyrecognition).

In various embodiments, user data may also correspond to data receivedover network 150, for example, from payment provider server 130 and/orservice provider server 140. For example, user data may correspond tosocial networking interactions by user 102 on service provider server140, payments made and/or received using payment provider server 130, orother online actions over network 150 with another device or server. Invarious embodiments, user data may be receives from a device connectedto communication device 110, for example, using short range wirelesscommunications (e.g., a pedometer or other wearable device tracking userbiometrics). Communication device 110 and the connected device maycommunicate over near field communication, Bluetooth, Bluetooth LowEnergy, radio, infrared, LTE Direct, or other communication protocol.Once the current user data is accessed by authentication module 120,authentication module 120 may determine authorizations for user 102based on the user data and the authentication profiles in order to allowuser 102 to access one or more processes. Authentication module 120 mayreceive a request to utilize one or more processes during use ofcommunication device 110, for example, from user 102 when user 102attempts to access those processes. However, in other embodiments,authentication module 120 may constantly process current user data inorder to determine authentications to allow access to processes by user102.

Authentication module 120 may then determine if user 102 may access anduse a process based on the corresponding authentication profile. Asdiscussed herein, user 102 may be authenticated for a process based onone or more pathways within an authentication profile, providing afallback mechanism to allow user 102 to access the process even whereuser data required by one pathway for authentication is unavailable orincorrect (e.g., device malfunction, different user data but authorizeduser, change in circumstances causing new user data, etc.). Onceauthenticated for an authentication profile, authentication module 120may allow user 102 to access and use the corresponding process(es) forthe authentication profile. Authentication module 120 may furthercontinue tracking user data so that if the user data changes to nolonger be compliant with an authentication profile, authenticationmodule 120 may then lock or otherwise prevent access and use of theprocess(es) for the authentication profile until the required user datais again met.

Data collection component 112 may correspond to one or more processesand/or specialized hardware of communication device 110 to collectand/or determine past user data for an authorized user of anauthentication profile and current user data for user 102 during user102's use of communication device 110. In this regard, data collectioncomponent 112 may correspond to specialized hardware and/or softwarethat may collect and/or determine user data during a session of use ofcommunication device 110 by utilizing one or more device components forcommunication device 110. Data collection component 112 may correspondto one or more of a network interface module, a communication moduleconnected to an external device or external sensor, a keypad, a mouse, atouchscreen interface, a camera, a microphone, an accelerometer, amotion detector, an environmental detector (e.g., barometer, altimeter,GPS sensor, etc.), and/or a biometric sensor. Thus, user data determinedby data collection component 112 may include data about use ofcommunication device 110 by user 102 (e.g., applications accessed/used,emails sent, messages sent, etc.), input actions by user 102 (e.g.,typing, scrolling, mouse actions, touchscreen movements, etc.), motionsof user 102 while using communication device 110 (e.g., hand user 102holds communication device 110 in, angle of holding communication device110, whether user 102 utilizes communication device 110 while walking ormoving, etc.), information about user 102 (e.g., height of user 102,facial recognition and/or imaging, biometric readings, clothing of user102, etc.), and/or real-world/environmental conditions for anenvironment that communication device 110 is used within (e.g.,location, temperature, humidity, time of day, light levels, noise,etc.). Data collection module 112 may store the determined user data todatabase 116 for use with authentication profiles.

Authentication module 120 may further determine a device profile forcommunication device 110 based on the capabilities of data collectioncomponent 112, for example, what user data can be collected and/ordetermined using data collection component 112. The device profile maybe used to determine an authentication pathway for an authenticationprofile. Thus, based on capabilities of data collection component 112and the user data determined by data collection component 112,authentication module 120 may determine authentication profiles and adevice profile for available authentication mechanisms through requireduser data determined by data collection component 112 for thatauthentication mechanism.

In various embodiments, communication device 110 includes otherapplications 114 as may be desired in particular embodiments to providefeatures to communication device 110. For example, other applications114 may include security applications for implementing client-sidesecurity features, programmatic client applications for interfacing withappropriate application programming interfaces (APIs) over network 150,or other types of applications. Other applications 114 may also includeemail, texting, voice and IM applications that allow a user to send andreceive emails, calls, texts, and other notifications through network150. In various embodiments, other applications 114 may includefinancial applications, such as banking, online payments, moneytransfer, or other applications associated with a payment provider, suchas a payment application, which may be limited in use by authenticationprofiles requiring authentication through user data for use of variousprocesses. As previously discussed, other applications may includesocial networking applications and/or merchant applications. Otherapplications 114 may include device interfaces and other display modulesthat may receive input from user 102 and/or output information to user102. For example, other applications 114 may contain software programs,executable by a processor, including a graphical user interface (GUI)configured to provide an interface to the user.

Communication device 110 may further include database 116 stored to atransitory and/or non-transitory memory of communication device 110,which may store various applications and data and be utilized duringexecution of various modules of communication device 110. Thus, database116 may include, for example, identifiers such as operating systemregistry entries, cookies associated with authentication module 120and/or other applications 114, identifiers associated with hardware ofcommunication device 110, or other appropriate identifiers, such asidentifiers used for payment/user/device authentication oridentification. Database 116 may include authentication profiles as wellas authentication profile data, such as associated processes protectedby the authentication profile and require user data to performauthentication for the profiles. Additionally, user data collected bydata collection component 112 may be stored to database 116 for use withthe authentication profiles.

Communication device 110 includes at least one communication module 118adapted to communicate with payment provider server 130 and/or serviceprovider server 140. In various embodiments, communication module 118may include a DSL (e.g., Digital Subscriber Line) modem, a PSTN (PublicSwitched Telephone Network) modem, an Ethernet device, a broadbanddevice, a satellite device and/or various other types of wired and/orwireless network communication devices including microwave, radiofrequency, infrared, Bluetooth, and near field communication devices.Communication module 118 may communicate directly with nearby devicesusing short range communications, such as Bluetooth Low Energy, LTEDirect, WiFi, radio frequency, infrared, Bluetooth, and near fieldcommunications.

Payment provider server 130 may be maintained, for example, by an onlinepayment service provider, which may provide payment services and/orprocessing for financial transactions on behalf of users. In thisregard, payment provider server 130 includes one or more processingapplications which may be configured to interact with communicationdevice 110, service provider server 140, and/or another device/server tofacilitate payment for a transaction. In one example, payment providerserver 130 may be provided by PAYPAL®, Inc. of San Jose, Calif., USA.However, in other embodiments, payment provider server 130 may bemaintained by or include a credit provider, financial services provider,financial data provider, and/or other service provider, which mayprovide payment services to user 102.

Payment provider server 130 of FIG. 1 includes payment account module132, other applications 144, a database 146, and a network interfacecomponent 138. Payment account module 132 and other applications 144 maycorrespond to executable processes, procedures, and/or applications withassociated hardware. In other embodiments, payment provider server 130may include additional or different modules having specialized hardwareand/or software as required.

Payment account module 132 may correspond to one or more processes toexecute modules and associated specialized hardware of payment providerserver 130 to receive and/or transmit information from communicationdevice 110 for establishment of payment accounts and processing andcompletion of one or more transactions initiated by user 102 using thepayment accounts. In this regard, payment account module 132 maycorrespond to specialized hardware and/or software to establish paymentaccounts, which may be utilized to send and receive payments andmonetary transfers and engage in other financial transactions. User 102may establish a payment account with payment account module 132 byproviding personal and/or financial information to payment providerserver 130 and selecting an account login, password, and other securityinformation. The payment account may be accessed through a browserapplication and/or dedicated payment application executed bycommunication device 110. Thus, communication device 110 may protect andlimit use of the payment account or other payment services offered bypayment provider server 130 using authentication profiles, as discussedherein.

Payment module 132 may further process a received transaction fromcommunication device 110 by receiving the transaction from communicationdevice 110 with a payment request for a payment for the transaction. Thepayment request may correspond to a payment token, including a paymentinstrument and identification of the transaction, and may be encryptedprior to transmission to payment account module 132 to preventunauthorized receipt of a payment instrument. The payment token mayinclude information corresponding to user identifiers, user financialinformation/identifiers, transaction information and/or otheridentifiers. Additionally, the payment token may include a paymentamount and terms of payment for the transaction. Once received, paymentaccount module 132 may utilize a payment account or financialinformation (e.g., a payment instrument such as a credit/debit card,bank account, etc.) of user 102 to render payment for the transaction.Payment account module 132 may receive purchase authorizations, incertain embodiments, and process payments for transaction in accordancewith the purchase authorizations. Payment may be made to a merchantdevice or another user device using the payment instrument and the termsof the payment request. Additionally, payment account module 132 mayprovide transaction histories, including receipts, to communicationdevice 110.

In various embodiments, payment provider server 130 includes otherapplications 134 as may be desired in particular embodiments to providefeatures to payment provider server 134. For example, other applications134 may include security applications for implementing server-sidesecurity features, programmatic client applications for interfacing withappropriate application programming interfaces (APIs) over network 150,or other types of applications. Other applications 134 may containsoftware programs, executable by a processor, including a graphical userinterface (GUI), configured to provide an interface to user 102 whenaccessing payment provider server 134. In various embodiments where notprovided by payment account module 132, other applications 134 mayinclude connection and/or communication applications, which may beutilized to communicate information to over network 150.

Additionally, payment provider server 130 includes database 146. Aspreviously discussed, user 102 and/or the merchant corresponding tomerchant location 130/merchant server 140 may establish one or morepayment accounts with payment provider server 130. Payment accounts indatabase 146 may include user/merchant information, such as name,address, birthdate, payment/funding information, additional userfinancial information, and/or other desired user data. User 102 and/orthe merchant may link to their respective payment accounts through auser, merchant, and/or device identifier. Thus, when an identifier istransmitted to payment provider server 130, e.g. from communicationdevice 110, merchant devices 132, and/or merchant server 140, a paymentaccount belonging to user 102 and/or the merchant may be found. Paymentamounts may be deducted from one payment account and paid to anotherpayment account. In other embodiments, user 102 and/or the merchant maynot have previously established a payment account and may provide otherfinancial information to payment provider server 130 to completefinancial transactions, as previously discussed.

In various embodiments, payment provider server 130 includes at leastone network interface component 138 adapted to communicate communicationdevice 110, merchant devices 132, and/or merchant server 140 overnetwork 150. In various embodiments, network interface component 138 maycomprise a DSL (e.g., Digital Subscriber Line) modem, a PSTN (PublicSwitched Telephone Network) modem, an Ethernet device, a broadbanddevice, a satellite device and/or various other types of wired and/orwireless network communication devices including microwave, radiofrequency (RF), and infrared (IR) communication devices.

Service provider server 140 may be maintained, for example, by a serviceprovider entity, which may provide services to user 102, which mayprovide data and/or information to communication device 110 fordetermining user data and authorizing user 102 with communication device110. In this regard, service provider server 140 includes one or moreprocessing applications which may be configured to interact withcommunication device 110 and/or payment provider server 130 over network150 to provide information to communication device 110. In one example,service provider server 140 may be provided by EBAY®, Inc. of San Jose,Calif., USA and/or STUBHUB®, Inc, of San Francisco, Calif., USA.However, in other embodiments, service provider server 140 may bemaintained by or include another type of service provider, such as asocial networking, messaging, location services, travel, biometricanalysis, and/or other type of service provider.

Service provider server 140 of FIG. 1 includes a service module 142,other applications 144, a database 146, and a communication module 148.Service module 142 and other applications 144 may correspond toexecutable processes, procedures, and/or applications with associatedhardware. In other embodiments, service provider server 140 may includeadditional or different modules having specialized hardware and/orsoftware as required.

Service module 142 may correspond to one or more processes to executemodules and associated specialized hardware of service provider server140 to provide a service to user 102, which may generate data and/orinformation used to determine user data for user 102, and provide suchinformation to communication device 110. In this regard, service module142 may correspond to specialized hardware and/or software to hostand/or provide a service to user 102, which may include or be associatedwith calendaring, social networking, messaging, mapping and travelrouting, location, biometrics, shopping, and/or other types of services.Thus, service module 142 may host a website offering the aforementionedservices or provide such services through a dedicated applicationavailable for use with a communication device (e.g., an email serveraccessible through a website/application, a social networking server,etc.). Service module 142 may facilitate the generation ofdata/information used to determine user data for user 102 by generatingthe data/information related to actions by user 102 using the service.The information may include exchanged messages, shopping actions,locations, etc. Service module 142 may also provide actions and/orinteractions by user 102 using services. A map, location, and/or travelroute by user 102 may be used to determine a location for user 102.Service module 142 may also provide biometrics used to determine userdata. For example, biometrics may be used to determine when user 102 isexercising, when user 102 sleeps, a user's heart rate, a user'sfingerprint or facial recognition information, etc. Service module 142may also provide shopping information, which may be used to determine auser's common actions.

In various embodiments, service provider server 140 includes otherapplications 144 as may be desired in particular embodiments to providefeatures to service provider server 140. For example, other applications144 may include security applications for implementing server-sidesecurity features, programmatic client applications for interfacing withappropriate application programming interfaces (APIs) over network 150,or other types of applications. Other applications 144 may containsoftware programs, executable by a processor, including a graphical userinterface (GUI), configured to provide an interface to user 102 whenaccessing service provider server 140. In various embodiments where notprovided by service module 142, other applications 144 may includeconnection and/or communication applications, which may be utilized tocommunicate information to over network 150.

Additionally, service provider server 140 includes database 146.Database 146 may be utilized to store information utilized by one ormore modules and/or applications of service provider server 140,including service module 142 and/or other applications 144. In thisregard, database 146 may include received and/or determined information,including identifiers and other identification information. Informationand data generated using service provider server 140 by user 102 and foruse in determining user data for user 102.

In various embodiments, service provider server 140 includes at leastone communication module 148 adapted to communicate communication device110 and/or payment provider server 130 over network 150. In variousembodiments, communication module 148 may comprise a DSL (e.g., DigitalSubscriber Line) modem, a PSTN (Public Switched Telephone Network)modem, an Ethernet device, a broadband device, a satellite device and/orvarious other types of wired and/or wireless network communicationdevices including microwave, radio frequency (RF), and infrared (IR)communication devices.

Network 150 may be implemented as a single network or a combination ofmultiple networks. For example, in various embodiments, network 150 mayinclude the Internet or one or more intranets, landline networks,wireless networks, and/or other appropriate types of networks. Thus,network 150 may correspond to small scale communication networks, suchas a private or local area network, or a larger scale network, such as awide area network or the Internet, accessible by the various componentsof system 100.

FIG. 2 is an exemplary device having device components for determininguser data and a user interface displaying protected device processesrequiring the user data to match one or more authentication profiles foruse, according to an embodiment. Environment 200 includes communicationdevice 110 from environment 100 of FIG. 1 executing module and processesdiscussed in reference to environment 100. Thus, communication device110 includes a device interface 1000 that may be used to display one ormore processes that may be protected by one or more authenticationprofiles from unauthorized use.

Device interface 1000 may correspond to a display interface where user102 may view processes executed by communication device 110 and interactwith such processes through user input. Thus, device interface 1000 mayinclude a device operating system 1100, which may require a current userauthentication 1102 for use of various processes of device operatingsystem 1100 by a user while the user utilizes communication device 110.For example, device operating system 1100 may execute a requested deviceprocess 1104 but require current user authentication to match a requiredauthentication 1106 for requested device process 1104. In this regard,communication device 110 may make an authentication determination 1108using user data 1110, which may be used to determine current userauthentication 1102, which may include an authorization to userrequested device process 1104. Moreover, based on user data 1110, otherauthentication paths 1112 may be selected based on the capabilities ofcommunication device 110 and/or available data in user data 1110.

In order to collect user data 1110, communication device 110 may utilizeone or more device components to collect and/or determine user data1110. Thus, communication device 110 may include input/output modules1102, such as a mouse, keyboard, touchscreen interface, etc., which maycollect input from a user utilizing communication device 110 and outputinformation to the user. Moreover, communication device 110 may includeaudio modules, such as a microphone and speaker, which may detect auser's voice, voice input, and/or environmental noise. Additionally,communication device 110 may detect user data through a biometric sensor1006 and/or accelerometer 1008, including fingerprints, facialrecognition information, heartbeat, motions, height, etc. Communicationdevice 110 may detect ambient light levels, atmospheric pressure,humidity, etc., through environmental sensor 1010. Communication module110 may also receive user data over a network connection or throughshort range wireless communications with a nearby device usingcommunication module 1012. In various embodiments, communication device110 may include further or different sensors and device components.

FIG. 3 is an exemplary device database storing authentication profilesfor device processes and determined user data during use of the deviceby a user, according to an embodiment. Environment 300 of FIG. 3includes communication device 110 from environment 100 of FIG. 1executing module and processes discussed in reference to environment100.

Communication device 310 executes a check-in module 320 correspondinggenerally to the specialized hardware and/or software modules andprocesses described in reference to authentication module 120 of FIG. 1.In this regard, database 116 stores information discussed in referenceto environment 100 of FIG. 1, such as authentication profiles 1200 anduser data 1300.

Authentication profiles 1200 includes a profile one 1202, a profile two1210, device capabilities 1218, and fallback mechanism 1200. Profile one1202 may correspond to an authentication profile that may allow accessand use of one or more processes when user data matches the requirementsof profile one 1202. Thus, profile one 1202 includes required user data1204, which may include user data required to be authenticated underprofile one 1202. When user data 1300 matches required user data 1204,communication device 110 may allow access to authorized processes 1206.In various embodiments, required user data 1204 may include more thanone authentication pathways, each requiring different user data forauthentication under profile one 1202. Profile one 1202 may also includeestablishment information 1208 generated during establishment of profileone 1202, which may be used to update profile one 1202 when requireduser data 1204 changes based on changed circumstances. Similarly,profile two 1210 also includes required user data 1212, authorizedprocesses 1214, and establishment information 1216. An authorizationmodule may also profile communication device to determine devicecapabilities 1218, which may correspond to available device componentsused to determine user data and authorize a user under profile one 1202and/or profile two 1210. Moreover, a fallback mechanism 1220 may be usedto authorize a user in the event that one or more device components arefaulty.

Database 116 also stores user data 1300 determined by device componentsof communication device 110. User data 1300 may include collected data1302, which may also be required to be processed and determined in userdata 1300 (e.g., detection of a motion used to determine a height of auser). Collected data 1302 includes sensor data 1304 collected fromdevice sensor components (e.g., a biometric sensor, camera, etc.).Collected data 1302 may also include application data 1306 determinedfrom applications executed by communication device 110 and network data1308 received over a network connection by communication device 110. Invarious embodiments, collected data 1302 may also include data receivedfrom connected device 1310.

FIG. 4 is a flowchart of an exemplary process for authentication throughmultiple pathways depending on device capabilities and user requests,according to an embodiment. Note that one or more steps, processes, andmethods described herein may be omitted, performed in a differentsequence, or combined as desired or appropriate.

At step 402, user data collected by the communication device for a userin possession of the communication device is accessed, by a userauthentication module of a communication device comprising at least onehardware processor. The user data may be collected by a devicecomponent, such as one or more of a network interface module, acommunication module connected to an external device or external sensor,a keypad, a mouse, a touchscreen interface, a camera, a microphone, anaccelerometer, a motion detector, an environmental detector, and abiometric sensor. The communication device may further determine theuser data using a communication device application. For example, thedevice application may comprise one of a messaging application, a socialnetworking application, a payment application, a shopping application,an email application, a media sharing or editing application, and animaging application associated with a camera device corresponding to thecommunication device.

At step 404, a plurality of authentication profiles for thecommunication device is accessed, by the user authentication module,wherein each of the authentication profiles allows access to at leastone process executed by the communication device. The authenticationprofiles may be determined based on user actions. The user actions maycomprise past actions by the user when using the communication deviceduring at least one past use of the communication device by the user.The communication device may collect or determine the past actionsduring use of the at least one process associated with the at least, onematching profile. The user actions may comprise at least one of use ofthe communication device, input actions with the communication device,motions while using the communication device, and real-world conditionsof an environment for the communication device during the use of thecommunication device.

In various embodiments, each of the authentication profiles may bedifferent for at least one of a type of the at least one processassociated with the each of the authentication profiles and a use of theat least one process associated with the each of the authenticationprofiles by the user. The use of the at least one process may bedetermined based on the user's request within the at least one process.The at least one process may comprise access to utilize thecommunication device or the communication device's operating system. Inother embodiments, the at least one process may correspond to anapplication executed by the communication device. The application maycomprise a payment application of the communication device utilizing apayment provider.

At least one matching profile using the user data and the plurality ofauthentication profiles is determined, by the user authenticationmodule, at step 406. The at least one process associated with the atleast one matching profile may correspond to a payment applicationexecuted by the communication device. Use of the payment application maybe limited by the at least one matching profile. In various embodiments,the user may determine the authentication profiles based on requirementsfor device and application security. Thus, at step 408, access to atleast one process associated with the at least one matching profile isauthorized, by the user authentication module. Moreover, a change in theuser data may be received, and the authorization may further determineif the change in the user data is compliant with the at least oneprocess associated with the at least one matching profile and currentlyauthorized by the user authentication module. Additionally, theauthorization module may further determine whether the change furthermatches additional profiles in the authentication profiles. If so,access to at least one process associated with the additional profilesnay be authorized.

FIG. 5 is a block diagram of a computer system suitable for implementingone or more components in FIG. 1, according to an embodiment. In variousembodiments, the communication device may comprise a personal computingdevice (e.g., smart phone, a computing tablet, a personal computer,laptop, a wearable computing device such as glasses or a watch,Bluetooth device, key FOB, badge, etc.) capable of communicating withthe network. The service provider may utilize a network computing device(e.g., a network server) capable of communicating with the network. Itshould be appreciated that each of the devices utilized by users andservice providers may be implemented as computer system 500 in a manneras follows.

Computer system 500 includes a bus 502 or other communication mechanismfor communicating information data, signals, and information betweenvarious components of computer system 500. Components include aninput/output (I/O) component 504 that processes a user action, such asselecting keys from a keypad/keyboard, selecting one or more buttons,image, or links, and/or moving one or more images, etc., and sends acorresponding signal to bus 502. I/O component 504 may also include anoutput component, such as a display 511 and a cursor control 513 (suchas a keyboard, keypad, mouse, etc.). An optional audio input/outputcomponent 505 may also be included to allow a user to use voice forinputting information by converting audio signals. Audio I/O component505 may allow the user to hear audio. A transceiver or network interface506 transmits and receives signals between computer system 500 and otherdevices, such as another communication device, service device, or aservice provider server via network 150. In one embodiment, thetransmission is wireless, although other transmission mediums andmethods may also be suitable. One or more processors 512, which can be amicro-controller, digital signal processor (DSP), or other processingcomponent, processes these various signals, such as for display oncomputer system 500 or transmission to other devices via a communicationlink 518. Processor(s) 512 may also control transmission of information,such as cookies or IP addresses, to other devices.

Components of computer system 500 also include a system memory component514 (e.g., RAM), a static storage component 516 (e.g., ROM), and/or adisk drive 517. Computer system 500 performs specific operations byprocessor(s) 512 and other components by executing one or more sequencesof instructions contained in system memory component 514. Logic may beencoded in a computer readable medium, which may refer to any mediumthat participates in providing instructions to processor(s) 512 forexecution. Such a medium may take many forms, including but not limitedto, non-volatile media, volatile media, and transmission media. Invarious embodiments, non-volatile media includes optical or magneticdisks, volatile media includes dynamic memory, such as system memorycomponent 514, and transmission media includes coaxial cables, copperwire, and fiber optics, including wires that comprise bus 502. In oneembodiment, the logic is encoded in non-transitory computer readablemedium. In one example, transmission media may take the form of acousticor light waves, such as those generated during radio wave, optical, andinfrared data communications.

Some common forms of computer readable media includes, for example,floppy disk, flexible disk, hard disk, magnetic tape, any other magneticmedium, CD-ROM, any other optical medium, punch cards, paper tape, anyother physical medium with patterns of holes, RAM, PROM, EEPROM,FLASH-EEPROM, any other memory chip or cartridge, or any other mediumfrom which a computer is adapted to read.

In various embodiments of the present disclosure, execution ofinstruction sequences to practice the present disclosure may beperformed by computer system 500. In various other embodiments of thepresent disclosure, a plurality of computer systems 500 coupled bycommunication link 518 to the network (e.g., such as a LAN, WLAN, PTSN,and/or various other wired or wireless networks, includingtelecommunications, mobile, and cellular phone networks) may performinstruction sequences to practice the present disclosure in coordinationwith one another.

FIGS. 6A-6E are exemplary authentication profiles built from user datacollected from device components, according to an embodiment. Forexample, FIG. 6A shows a plurality of authentication profiles havingvarious required user data for authentication. In FIG. 6B, data may beoutput based on analysis of the data, for example, to recognize anentity. FIG. 6C shows multiple available types of user data, which maybe used to build an authentication profile for a device. In FIG. 6D, anexemplary flowchart shows how to determine a device authenticationprofile. Moreover, in FIG. 6E, authentication profile chains may bebuilt for authenticating users across various devices based availableattributes and authentication profiles (security profiles).

Where applicable, various embodiments provided by the present disclosuremay be implemented using hardware, software, or combinations of hardwareand software. Also, where applicable, the various hardware componentsand/or software components set forth herein may be combined intocomposite components comprising software, hardware, and/or both withoutdeparting from the spirit of the present disclosure. Where applicable,the various hardware components and/or software components set forthherein may be separated into sub-components comprising software,hardware, or both without departing from the scope of the presentdisclosure. In addition, where applicable, it is contemplated thatsoftware components may be implemented as hardware components andvice-versa.

Software, in accordance with the present disclosure, such as programcode and/or data, may be stored on one or more computer readablemediums. It is also contemplated that software identified herein may beimplemented using one or more general purpose or specific purposecomputers and/or computer systems, networked and/or otherwise. Whereapplicable, the ordering of various steps described herein may bechanged, combined into composite steps, and/or separated into sub-stepsto provide features described herein.

The foregoing disclosure is not intended to limit the present disclosureto the precise forms or particular fields of use disclosed. As such, itis contemplated that various alternate embodiments and/or modificationsto the present disclosure, whether explicitly described or impliedherein, are possible in light of the disclosure. Having thus describedembodiments of the present disclosure, persons of ordinary skill in theart will recognize that changes may be made in form and detail withoutdeparting from the scope of the present disclosure. Thus, the presentdisclosure is limited only by the claims.

What is claimed is:
 1. A system comprising: a user authentication moduleof a communication device comprising at least one hardware processorthat accesses user data determined by the communication device for auser in possession of the communication device, accesses authenticationprofiles for the communication device, wherein each of theauthentication profiles allows access to at least one process executedby the communication device, determines at least one matching profileusing the user data and at least one of the authentication profiles, andprovides access to at least one process associated with the at least onematching profile; a database stored to a non-transitory memory thatstores the authentication profiles and the user data; and at least onedevice component that determines the user data.
 2. The system of claim1, wherein the device component comprises one of a network interfacemodule, a communication module connected to an external device orexternal sensor, a keypad, a mouse, a touchscreen interface, a camera, amicrophone, an accelerometer, a motion detector, an environmentaldetector, and a biometric sensor.
 3. The system of claim 1, wherein thecommunication device further determines the user data using acommunication device application.
 4. The system of claim 3, wherein thedevice application comprises one of a messaging application, a socialnetworking application, a payment application, a shopping application,an email application, a media sharing or editing application, and animaging application associated with a camera device corresponding to thecommunication device.
 5. The system of claim 1, wherein theauthentication profiles are determined based on user actions.
 6. Thesystem of claim 5, wherein the user actions comprise past actions by theuser when using the communication device during at least one past use ofthe communication device by the user.
 7. The system of claim 6, whereinthe communication device collects or determines the past actions duringuse of the at least one process associated with the at least onematching profile.
 8. The system of claim 5, wherein the user actionscomprises at least one of use of the communication device, input actionswith the communication device, motions while using the communicationdevice, and real-world conditions of an environment for thecommunication device during the use of the communication device.
 9. Thesystem of claim 1, wherein each of the authentication profiles aredifferent for at least one of a type of the at least one processassociated with the each of the authentication profiles and a use of theat least one process associated with the each of the authenticationprofiles by the user.
 10. The system of claim 9, wherein the use of theat least one process is determined based on the user's request withinthe at least one process.
 11. The system of claim 1, wherein the atleast one process comprises access to utilize the communication deviceor the communication device's operating system.
 12. The system of claim1, wherein the at least one process corresponds to an applicationexecuted by the communication device.
 13. The system of claim 12,wherein the application comprises a payment application of thecommunication device utilizing a payment provider.
 14. A methodcomprising: receiving, by a user authentication module of acommunication device comprising at least one hardware processor, anauthentication request from a user through the communication device;accessing, by the user authentication module, first user data providedby the user in the authentication request; accessing, by the userauthentication module, an authentication profile for the communicationdevice associated with the authentication request, wherein theauthentication profile allows access to at least one process executed bythe communication device; determining, by the user authenticationmodule, that the user cannot be authenticated using the first user data;and determining, by the user authentication module, second user data forthe user using at least one device component of the communicationdevice.
 15. The method of claim 14, wherein the first user data isdifferent from the second user data.
 16. The method of claim 15, furthercomprising: authorizing, by the user authentication module, access to atleast one process associated with the authentication profile if the usercan be authenticated using the second user data with the authenticationprofile.
 17. The method of claim 16, wherein the authentication profilecomprises a plurality of authentication pathways, and wherein the seconduser data matches one of the plurality of authentication pathways. 18.The method of claim 16, wherein the authentication profile comprises aplurality of authentication pathways, and wherein the first user datadoes not match any of the authentication pathways.
 19. The method ofclaim 15, wherein the first user data comprises a biometric, a password,a PIN, audio, or an image.
 20. A non-transitory computer-readable mediumcomprising executable modules which, in response to execution by acomputer system, cause the computer system to perform a methodcomprising: accessing, by a user authentication module of acommunication device comprising at least one hardware processor, userdata collected by the communication device for a user in possession ofthe communication device; accessing, by the user authentication module,a plurality of authentication profiles for the communication device,wherein each of the authentication profiles allows access to at leastone process executed by the communication device; determining, by theuser authentication module, at least one matching profile using the userdata and the plurality of authentication profiles; and authorizing, bythe user authentication module, access to at least one processassociated with the at least one matching profile.